50% of UK organisations are flouting the ‘EU Cookie Law’

More than 50% of UK organisations across private and public sectors are failing to comply with the EU Directive on Privacy and Electronic Communications by not being clear enough with web visitors about cookies, new research from KPMG reveals. This figure has dropped from 80% in 2012, but still represents a fairly poor response to the legislation.

Flouting the ‘EU Cookie Law’, which was designed to protect internet users from intrusive tracking and marketing material, could spell fines of up to £500,000, if user privacy is found to be breached.

KPMG’s analysis of 55 major organisations shows that even some of those that complied with the law when it was first introduced a year ago are now falling foul of the legal requirements. Just 2% of the websites visited were found to be asking for users’ explicit consent to use cookies, a figure which has halved since September 2012. Meanwhile, only 4% percent have become fully compliant by not setting cookies on their websites at all.

Of the remaining websites analysed, 43% use ‘implicit’ messages about installing cookies on users’ computers, usually via a pop-up box that appears on the website and can easily be dismissed by the user without reading. While securing this ‘implicit’ consent is enough to comply with the law in the UK, it doesn’t fully satisfy the requirements of the EU Directive, which requires organisations to seek users’ explicit consent before installing cookies.

Stephen Bonner, a partner at KPMG, has made an interesting point about how organisations will react to future legislation, given their patchy response to the ‘EU Cookie Law’. After all, if so many organisations are flouting current directives around cyber space and user privacy, what’s to stop them ignoring future legislation?

“The fact remains that cookies monitor users’ website activity, which, if used without prior knowledge for marketing and other purposes, is a breach of privacy,” Bonner says. “By adopting this implicit approach, organisations are assuming individuals have previously consented to receiving cookies. We would therefore question whether the ‘Cookie Law’ has achieved what it set out to do and whether the threat of fines is enough to change organisations’ behaviour.”

For more details on how to comply with the ‘EU Cookie Law’, please visit the ICO website